Maik Brauer
2007-May-13 13:15 UTC
[Xen-users] IPtables "ctstate RELATED,ESTABLISHED" are not working
Hello,

after installing XEN 3.0.4-1 and setting up iptables for that, I've some problems with the ctstate traffic, which is blocked by IPtables. Below a short printout is available from my /var/log/kern.log:

--------
May 13 17:05:13 debian4 kernel: IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 MAC=00:13:8f:0f:5b:c7:00:04:0e:66:da:c8:08:00 SRC=172.16.76.15 DST=172.16.76.99 LEN=117 TOS=0x00 PREC=0x00 TTL=64 ID=2091 PROTO=UDP SPT=53 DPT=32769 LEN=97
---------

The DST is my Debian Linux Server and the SRC is the DSL-LAN Router which is connected to the Internet.

My iptables config is the following:

debian4:/boot# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             debian4.xxxxx.net    tcp dpt:ssh
ACCEPT     0    --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
LOG        0    --  anywhere             anywhere             LOG level warning
DROP       0    --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

So to avoid that the firewall will block the traffic through the bridge I can use the command:

sysctl -w net.bridge.bridge-nf-call-iptables="0"

which is working. Then everything is fine. But this is not the real solution. It should work without this.

So my question is now, did I forget something or is this a known bug in XEN? Is there anybody who is sharing this problem with me?

Thanks

Regards,
Maik Brauer

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
Tim Barbour
2007-May-13 20:08 UTC
[Xen-users] IPtables "ctstate RELATED,ESTABLISHED" are not working
Maik Brauer writes:

> after installing XEN 3.0.4-1 and setting up iptables for that, I've some
> problems with the ctstate traffic, which is
> blocked by IPtables. Below a short printout is available from my
> /var/log/kern.log:
> --------
> May 13 17:05:13 debian4 kernel: IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0
> MAC=00:13:8f:0f:5b:c7:00:04:0e:66:da:c8:08:00 SRC=172.16.76.15
> DST=172.16.76.99 LEN=117 TOS=0x00 PREC=0x00 TTL=64 ID=2091 PROTO=UDP
> SPT=53 DPT=32769 LEN=97

I recently upgraded to Xen 3.0.4-1, and encountered the same (or very similar) problem.

May 13 12:51:25 elysium INPUT IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 MAC=00:0f:ea:43:13:6a:00:14:bf:94:c1:0f:08:00 SRC=199.7.66.1 DST=10.137.1.1 LEN=268 TOS=0x00 PREC=0x00 TTL=58 ID=62618 DF PROTO=UDP SPT=53 DPT=33689 LEN=248

My firewall rules are automatically generated (from a Haskell script), and worked fine with the earlier version of Xen. The rules are a bit lengthy, so I have appended a cut-down version of them at the end of this message (the omitted rules deal with other ports, which should be irrelevant).

> So to avoid that the firewall will block the traffic through the bridge I
> can use the command:
>
> sysctl -w net.bridge.bridge-nf-call-iptables="0"

This also restores traffic for me - thank you.

> which is working. Then everything is fine. But this is not the real
> solution. It should work without this.
> So my question is now, did I forget something or is this a known bug in XEN?

I have the same question.

> Is there anybody who is sharing this problem with me?

I think I am.
Tim

---

Chain INPUT (policy ACCEPT 507 packets, 83922 bytes)
 pkts bytes target  prot opt in   out  source    destination
    0     0 DROP    tcp  --  any  any  anywhere  anywhere    tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
    0     0 DROP    tcp  --  any  any  anywhere  anywhere    tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
    0     0 DROP    tcp  --  any  any  anywhere  anywhere    tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
    0     0 DROP    tcp  --  any  any  anywhere  anywhere    tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
    0     0 DROP    tcp  --  any  any  anywhere  anywhere    tcp flags:SYN,RST/SYN,RST
    0     0 DROP    tcp  --  any  any  anywhere  anywhere    tcp flags:FIN,SYN/FIN,SYN
 7129 2290K ACCEPT  all  --  any  any  anywhere  anywhere    state RELATED,ESTABLISHED
    2   264 ACCEPT  tcp  --  eth0 any  anywhere  anywhere    tcp dpt:ssh limit: avg 3/sec burst 5
    0     0 ACCEPT  tcp  --  eth0 any  anywhere  anywhere    tcp dpt:domain limit: avg 3/sec burst 5
   68  4154 ACCEPT  udp  --  eth0 any  anywhere  anywhere    udp dpt:domain limit: avg 3/sec burst 5
  266 15992 ACCEPT  all  --  lo   any  anywhere  anywhere    /* Accept everything on loop back (lo) */
    3   252 ACCEPT  icmp --  any  any  anywhere  anywhere    icmp echo-reply limit: avg 3/sec burst 5
    1    88 ACCEPT  icmp --  any  any  anywhere  anywhere    icmp destination-unreachable limit: avg 3/sec burst 5
    1    84 ACCEPT  icmp --  any  any  anywhere  anywhere    icmp echo-request limit: avg 3/sec burst 5
    0     0 ACCEPT  icmp --  any  any  anywhere  anywhere    icmp time-exceeded limit: avg 3/sec burst 5
   90 15357 LOG     all  --  any  any  anywhere  anywhere    LOG level warning prefix `INPUT '
   90 15357 DROP    all  --  any  any  anywhere  anywhere

Chain FORWARD (policy ACCEPT 823 packets, 631K bytes)
 pkts bytes target  prot opt in   out  source    destination
    0     0 DROP    tcp  --  any  any  anywhere  anywhere    tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
    0     0 DROP    tcp  --  any  any  anywhere  anywhere    tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
    0     0 DROP    tcp  --  any  any  anywhere  anywhere    tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
    0     0 DROP    tcp  --  any  any  anywhere  anywhere    tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
    0     0 DROP    tcp  --  any  any  anywhere  anywhere    tcp flags:SYN,RST/SYN,RST
    0     0 DROP    tcp  --  any  any  anywhere  anywhere    tcp flags:FIN,SYN/FIN,SYN
  139 20954 ACCEPT  all  --  any  any  anywhere  anywhere    state RELATED,ESTABLISHED
   44  3112 ACCEPT  all  --  any  any  anywhere  anywhere    PHYSDEV match --physdev-in vif0.0
    0     0 ACCEPT  all  --  any  any  anywhere  anywhere    PHYSDEV match --physdev-in rat.0
    0     0 ACCEPT  all  --  any  any  anywhere  anywhere    PHYSDEV match --physdev-in rat.0
    0     0 ACCEPT  all  --  any  any  anywhere  anywhere    PHYSDEV match --physdev-in pro.0
    0     0 ACCEPT  tcp  --  any  any  anywhere  anywhere    tcp dpt:ssh PHYSDEV match --physdev-out vif0.0 limit: avg 3/sec burst 5
    0     0 ACCEPT  tcp  --  any  any  anywhere  anywhere    tcp dpt:domain PHYSDEV match --physdev-out vif0.0 limit: avg 3/sec burst 5
    1    57 ACCEPT  udp  --  any  any  anywhere  anywhere    udp dpt:domain PHYSDEV match --physdev-out vif0.0 limit: avg 3/sec burst 5
    0     0 ACCEPT  tcp  --  any  any  anywhere  anywhere    tcp dpt:ssh PHYSDEV match --physdev-out rat.0 limit: avg 3/sec burst 5
    0     0 ACCEPT  tcp  --  any  any  anywhere  anywhere    tcp dpt:ssh PHYSDEV match --physdev-out pro.0 limit: avg 3/sec burst 5
    0     0 ACCEPT  icmp --  any  any  anywhere  anywhere    icmp echo-reply limit: avg 3/sec burst 5
    0     0 ACCEPT  icmp --  any  any  anywhere  anywhere    icmp destination-unreachable limit: avg 3/sec burst 5
    3   252 ACCEPT  icmp --  any  any  anywhere  anywhere    icmp echo-request limit: avg 3/sec burst 5
    0     0 ACCEPT  icmp --  any  any  anywhere  anywhere    icmp time-exceeded limit: avg 3/sec burst 5
    9  1161 LOG     all  --  any  any  anywhere  anywhere    LOG level warning prefix `FORWARD '
    9  1161 DROP    all  --  any  any  anywhere  anywhere

Chain OUTPUT (policy ACCEPT 470 packets, 560K bytes)
 pkts bytes target  prot opt in   out  source    destination
 7819 4710K ACCEPT  all  --  any  any  anywhere  anywhere
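As an added example (not code from either poster), a small Python parser for the netfilter LOG lines quoted in both messages: it separates packets that crossed the Xen bridge (PHYSIN/PHYSOUT present, which is why the INPUT chain sees them at all while bridge-nf-call-iptables is 1) from ordinary host traffic, and flags the bridged ones that look like DNS replies a working ctstate RELATED,ESTABLISHED rule should have accepted. The first two sample lines are the ones from the thread; the third is constructed.

```python
import re

# Two LOG lines quoted in the thread plus one constructed line (198.51.100.7 is a
# documentation address) for a packet that did not cross the Xen bridge.
SAMPLE_LOG = """\
May 13 17:05:13 debian4 kernel: IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 MAC=00:13:8f:0f:5b:c7:00:04:0e:66:da:c8:08:00 SRC=172.16.76.15 DST=172.16.76.99 LEN=117 TOS=0x00 PREC=0x00 TTL=64 ID=2091 PROTO=UDP SPT=53 DPT=32769 LEN=97
May 13 12:51:25 elysium INPUT IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 MAC=00:0f:ea:43:13:6a:00:14:bf:94:c1:0f:08:00 SRC=199.7.66.1 DST=10.137.1.1 LEN=268 TOS=0x00 PREC=0x00 TTL=58 ID=62618 DF PROTO=UDP SPT=53 DPT=33689 LEN=248
May 13 17:06:02 debian4 kernel: IN=eth0 OUT= MAC=00:13:8f:0f:5b:c7:00:04:0e:66:da:c8:08:00 SRC=198.51.100.7 DST=172.16.76.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=7 DF PROTO=TCP SPT=41022 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
"""

def parse_line(line):
    """Return (fields, flags) for a netfilter LOG line, or None if it is not one."""
    start = re.search(r"\bIN=", line)       # works with or without a LOG prefix
    if start is None:
        return None
    fields, flags = {}, set()
    for token in line[start.start():].split():
        if "=" in token:
            key, value = token.split("=", 1)
            if key in fields:               # LEN occurs twice: IP total, then L4
                key += "_L4"
            fields[key] = value
        else:
            flags.add(token)                # valueless tokens: DF, SYN, ACK, ...
    return fields, flags

def is_bridged(fields):
    # PHYSIN/PHYSOUT appear only on frames that crossed a bridge port (bridge-nf-call-iptables=1 runs them through INPUT too)
    return bool(fields.get("PHYSIN") or fields.get("PHYSOUT"))

def looks_like_dns_reply(fields):
    # UDP from port 53 to an ephemeral port: the answer to a query this host sent, i.e. RELATED,ESTABLISHED traffic
    return (fields.get("PROTO") == "UDP" and fields.get("SPT") == "53"
            and int(fields.get("DPT", "0")) >= 1024)

def classify(line):
    parsed = parse_line(line)
    if parsed is None:
        return None
    if is_bridged(parsed[0]):
        return "bridged-reply" if looks_like_dns_reply(parsed[0]) else "bridged-other"
    return "host"

def summarize(log_text):
    counts = {}                             # class -> number of logged packets
    for verdict in map(classify, log_text.splitlines()):
        if verdict is not None:
            counts[verdict] = counts.get(verdict, 0) + 1
    return counts
```

Run it over a kern.log excerpt: a large "bridged-reply" count next to a healthy "host" count is the signature of this thread's symptom, whereas a host with the sysctl set to 0 should log no bridged packets at all.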